Dear Vincent,
in principal this works, but one has to check all ports. Changing onlg
the single Gateway port is not sufficient, as NJS and TSI are also using
ports. Check the following configuration files:
- gateway.properties: 4004 is the gateway port
- connections: 4444 as below
- njs.properties: 4444 is the port, on which the NJS is listening for
gateway connections, 6667 is the NJS admin port
- njs.idb: 6789 is the TSI port, 4433 is used by the TSI to connecto to
the NJS
- tsi.properties: 6789 and 4433 as above
In total the UNICORE server demo needs 5 different ports (1*Gateway,
2*NJS, 2*TSI), but only the Gateway port has to be visible from the
outside world, i.e. opened in a firewall.
Hence, if you want to run multiple UNICORE demo server installations,
make sure, that not only the Gateway port is different, but all others, too.
Hope this helps.
regards,
Achim
Vincent Bel schrieb:
>Dear Sir,
>
>I have a problem about NJS.
>I use the UNICORE demo 1.0.1. When I start UNICORE Server with
>startup.sh script (or I start script one by one: gateway, then NJS, then
>TSI), there isn't problem. However, if an other user has start an
>UNICORE server on the same computer before (with a different port
>number) the NJS can't start.
>
>Could you help me please?
>
>Thank you
>
>Vincent Bel
>
>
>The end of the log file (NJS log file) is follow:
>
>17:48:31 19/04 S* TSI communications. Failed whilst initialising
>Communicator
>17:48:31 19/04 S* .... Address already in use -------- Exception stack
>trace follows:
>java.net.BindException: Address already in use
> at java.net.PlainSocketImpl.socketBind(Native Method)
> at java.net.PlainSocketImpl.bind(PlainSocketImpl.java:331)
> at java.net.ServerSocket.bind(ServerSocket.java:318)
> at java.net.ServerSocket.<init>(ServerSocket.java:185)
> at java.net.ServerSocket.<init>(ServerSocket.java:97)
> at
>com.fujitsu.arcon.njs.priest.ClassicTSIConnectionFactory.<init>(ClassicTSIConnectionFactory.java:116)
> at
>com.fujitsu.arcon.njs.priest.ClassicTSIConnectionFactory.makeTSIConnectionFactory(ClassicTSIConnectionFactory.java:92)
> at
>com.fujitsu.arcon.njs.priest.TargetSystem$Reader.endAction(TargetSystem.java:1220)
> at
>com.fujitsu.arcon.njs.priest.BatchTargetSystem$Reader.endAction(BatchTargetSystem.java:2383)
> at
>com.fujitsu.arcon.njs.priest.TargetSystem$1.readDefinition(TargetSystem.java:921)
> at
>com.fujitsu.arcon.njs.priest.Missal.processToken(Missal.java:95)
> at
>com.fujitsu.arcon.njs.priest.Seminaries.initialise(Seminaries.java:204)
> at com.fujitsu.arcon.njs.NJS.main(NJS.java:268)
>Fatal NJS error
>
>
>
>
>-------------------------------------------------------
>This SF.Net email is sponsored by: New Crystal Reports XI.
>Version 11 adds new functionality designed to reduce time involved in
>creating, integrating, and deploying reporting solutions. Free runtime info,
>new features, or free trial, at: http://www.businessobjects.com/devxi/728
>_______________________________________________
>Unicore-support mailing list
>Unicore-support@...
>https://lists.sourceforge.net/lists/listinfo/unicore-support
>
>
>
>
--
------------------------------------------
Dr. Achim Streit
Zentralinstitut fuer Angewandte Mathematik
Forschungszentrum Juelich GmbH
D-52425 Juelich
Phone: +49 2461 61-6576
Fax: +49 2461 61-6656
Email: A.Streit@...

Hi,
change the TSI ports on one of the installations. This is done in two config files
1) at the NJS: njs/conf/njs.idb: SOURCE ..... 1234 5678
2) at the TSI tsi/conf/tsi.properties
PS: Two Unicore installations on the same computer? Why don't you and the
other user(s) use the same Unicore installation? :)
Bernd.
Vincent Bel wrote:
>
> I have a problem about NJS.
> I use the UNICORE demo 1.0.1. When I start UNICORE Server with
> startup.sh script (or I start script one by one: gateway, then NJS, then
> TSI), there isn't problem. However, if an other user has start an
> UNICORE server on the same computer before (with a different port
> number) the NJS can't start.
>
--
Dr. Bernd Schuller
ZAM
Forschungszentrum Juelich GmbH
mail b.schuller@...
phone +49 2461 61 8736
fax +49 2461 61 6656

Dear Sir,
I have a problem about NJS.
I use the UNICORE demo 1.0.1. When I start UNICORE Server with
startup.sh script (or I start script one by one: gateway, then NJS, then
TSI), there isn't problem. However, if an other user has start an
UNICORE server on the same computer before (with a different port
number) the NJS can't start.
Could you help me please?
Thank you
Vincent Bel
The end of the log file (NJS log file) is follow:
17:48:31 19/04 S* TSI communications. Failed whilst initialising
Communicator
17:48:31 19/04 S* .... Address already in use -------- Exception stack
trace follows:
java.net.BindException: Address already in use
at java.net.PlainSocketImpl.socketBind(Native Method)
at java.net.PlainSocketImpl.bind(PlainSocketImpl.java:331)
at java.net.ServerSocket.bind(ServerSocket.java:318)
at java.net.ServerSocket.<init>(ServerSocket.java:185)
at java.net.ServerSocket.<init>(ServerSocket.java:97)
at
com.fujitsu.arcon.njs.priest.ClassicTSIConnectionFactory.<init>(ClassicTSIConnectionFactory.java:116)
at
com.fujitsu.arcon.njs.priest.ClassicTSIConnectionFactory.makeTSIConnectionFactory(ClassicTSIConnectionFactory.java:92)
at
com.fujitsu.arcon.njs.priest.TargetSystem$Reader.endAction(TargetSystem.java:1220)
at
com.fujitsu.arcon.njs.priest.BatchTargetSystem$Reader.endAction(BatchTargetSystem.java:2383)
at
com.fujitsu.arcon.njs.priest.TargetSystem$1.readDefinition(TargetSystem.java:921)
at
com.fujitsu.arcon.njs.priest.Missal.processToken(Missal.java:95)
at
com.fujitsu.arcon.njs.priest.Seminaries.initialise(Seminaries.java:204)
at com.fujitsu.arcon.njs.NJS.main(NJS.java:268)
Fatal NJS error

Thanks,
It's my problem,
when I submit a job, which is a command /bin/hostname,
the command localation, i selected "local", not "root"
I just input the command in the space with "/bin/ls",
the result is that, the job is pending.
Now, this time, i select the job location with "root",
the command is ok.
Can you let me some information about an plugin which support CORBA applications
on UNICORE?
The client documents just mentioned it once, i do not know where to dowaload it
and how to use it.
Thanks and Regards,
Lizhe

Dear All:
When I submit a single without dependency to gateway,
the result from job monitor panel, is that
inital status ->pending
a predecessor failed in execution -> never run
What 's wrong with my job?
It does not has a predecessor job.
Can anyone help?
Thanks and regards,
Lizhe

"Bernd Schuller" <b.schuller@...> wrote:
> Hello Thomas,
>
> a lot of questions :)
>
> Thomas Zeiser wrote:
>
>> We have a configuration which can be simplified as follows:
>> - a "gateway" machine which can be seen from the "outside"
>> - several heterogeneous "test machines"
>> [...]
>> - a production cluster consisting of
>> [...]
>
>> From the PBS point of view, I'd would also integrate all "test
>> machines" to an other PBS sever with again just one "pool" where
>> the users again can select via node properties if they want special
>> nodes. [...]
>> I have no idea if the "pool" view is suitable for Unicore as it
>> probably would mean one vsite - in particular how to chose if a
>> certain property is required. "Priority" or "Speed" from the
>> Unicore resource pannel might be a (last and not really
>> transparent) solution ...
> Yes, it would be one Vsite representing one PBS system. The Priorities are
> used to select a certain PBS queue, e.g. if you had two queues "fast" and
> "slow"
> you could map priority "HIGH" to queue "fast" and all the others to "slow".
> As you say, to use this to select certain node types, this is not very
> transparent
> for the user. If you have different architectures (Opteron vs Itanium, x86 vs
> x86_64, etc),
> it might be better to have multiple Vsites.
> There are possible workarounds, such as adding things to script headers, e.g.
> #ITANIUM ONLY PLEASE
> and process these in the TSI, but that is somehow "outside" of Unicore.
>
> Maybe somebody else has a good idea here?
The idea of selecting specific nodes is outside of Unicore. A possibility
is to use Context resources and the IDB to insert the PBS commands (with
help from a TSI).
>
>
>> Back to the configuration from above and Unicore:
>> - the Unicore gateway probably goes to the gateway machine and can
>> serve all vsites (NJS/TSI).
> Yes.
>> Is it a security problem that ordinary users can login to the gateway
>> machine?
> Not really. Check the access rights on the gateway files, though.
You need to consider the possibility of users setting fake Gateways to
inserts AJOs into an NJS. The authentication by the NJS is on machine
name/address only, so any user with access to the Gateway machine could
create a fake Gateway. I would recommend removing use access.
>
>> Should we put the Unicore gateway on a dedicated machine? Must the Unicore
>> gateway
>> run as root?
> The gateway can be on a dedicated server, but it's not required. The gateway
> has an open port to
> the internet, so in secure environments it is the only component "outside" the
> firewall.
> Also, in case of high load it may be better to have a dedicated server, and to
> give the Java VM
> enough memory and set the thread limit sufficiently high.
> The gateway should run a normal user.
>
>> - the production cluster will be one (or two?) vsite. I'm not sure on which
>> machine(s) to put the NJS and TSI.
> The NJS should have its own server, which may be the login machine (you need
> Java).
> For our production system (p690 cluster running under AIX + LoadLeveler), we
> have separate (Linux) gateway and NJS servers.
>
> The TSI MUST run as root on the target machine/cluster, since it does setuid
> to the actual user, executes things,
> calls the batch system, writes files, etc.
>
>> If NJS and TSI are on different machines, which one needs access
>> to the UUDB. If I understand it correctly, only the NJS.
> Yes. The UUDB must be on the NJS machine.
>
>
> Hope this helps a little...
> Bernd.
--
Sven van den Berghe
Fujitsu Laboratories of Europe
+44 208 606 4651

Lizhe,
You may also need to increase the level of logging in the Gateway and NJS
to the highest.
Sven
"Bernd Schuller" <b.schuller@...> wrote:
> Hi Lizhe,
>
> you should be able to follow everything by checking the following log files
> 1) client log in userhome/.unicore/clientlog.txt
> (log level can be set in "Settings/User defaults/")
> 2) gateway log in
> .../gateway/conf/logs/
> 3) NJS log in
> ..../njs/conf/logs/
>
> Especially the NJS log will probably tell you what the problem is.
>
> One source of error might be the following:
> We found a small bug in the demo package (version 1.0), which has been fixed
> in 1.0_1.
> In the file .../njs/conf/njs.idb, there is a reference to
> /usr/local/unicore/FILESPACE, which should be changed to
> /location_you_installed_unicore_in/FILESPACE
>
>
> Best regards,
> Bernd.
>
>
> Lizhe.Wang@... wrote:
>> Dear All:
>> I installed latest version of UNICORE DEMO.
>> I also installed UNICORE client.
>> I started daemon of gateway, njs and tsi, and import the user.pem to the
>> database.
>>
>> Now when I submit a job (simple command, /bin/date), from the client ( in
>> fact,
>> the client and the server is located in the same machine)
>>
>> Some errors appear:
>>
>> Submission of New_job1[11:45:54 04/08/2005] to site DEMO_NJS <NJS> started
>> ...
>>
>> submitting job failed
>> Reason: Gateway has problems with Vsite connection
>>
>> later, another output appears :
>>
>> 11:48:35 04/08/2005: job successfully submitted
>>
>> However, I can not get the output of the job.
--
Sven van den Berghe
Fujitsu Laboratories of Europe
+44 208 606 4651

Hi Lizhe,
you should be able to follow everything by checking the following log files
1) client log in userhome/.unicore/clientlog.txt
(log level can be set in "Settings/User defaults/")
2) gateway log in
.../gateway/conf/logs/
3) NJS log in
..../njs/conf/logs/
Especially the NJS log will probably tell you what the problem is.
One source of error might be the following:
We found a small bug in the demo package (version 1.0), which has been fixed in 1.0_1.
In the file .../njs/conf/njs.idb, there is a reference to
/usr/local/unicore/FILESPACE, which should be changed to /location_you_installed_unicore_in/FILESPACE
Best regards,
Bernd.
Lizhe.Wang@... wrote:
> Dear All:
> I installed latest version of UNICORE DEMO.
> I also installed UNICORE client.
> I started daemon of gateway, njs and tsi, and import the user.pem to the database.
>
> Now when I submit a job (simple command, /bin/date), from the client ( in fact,
> the client and the server is located in the same machine)
>
> Some errors appear:
>
> Submission of New_job1[11:45:54 04/08/2005] to site DEMO_NJS <NJS> started ...
>
> submitting job failed
> Reason: Gateway has problems with Vsite connection
>
> later, another output appears :
>
> 11:48:35 04/08/2005: job successfully submitted
>
> However, I can not get the output of the job.
--
Dr. Bernd Schuller
ZAM
Forschungszentrum Juelich GmbH
mail b.schuller@...
phone +49 2461 61 8736
fax +49 2461 61 6656

Dear All:
I installed latest version of UNICORE DEMO.
I also installed UNICORE client.
I started daemon of gateway, njs and tsi, and import the user.pem to the database.
Now when I submit a job (simple command, /bin/date), from the client ( in fact,
the client and the server is located in the same machine)
Some errors appear:
Submission of New_job1[11:45:54 04/08/2005] to site DEMO_NJS <NJS> started ...
submitting job failed
Reason: Gateway has problems with Vsite connection
later, another output appears :
11:48:35 04/08/2005: job successfully submitted
However, I can not get the output of the job.
Anyone can help?
Lizhe

Hello Thomas,
a lot of questions :)
Thomas Zeiser wrote:
> We have a configuration which can be simplified as follows:
> - a "gateway" machine which can be seen from the "outside"
> - several heterogeneous "test machines"
>[...]
> - a production cluster consisting of
>[...]
> From the PBS point of view, I'd would also integrate all "test
> machines" to an other PBS sever with again just one "pool" where
> the users again can select via node properties if they want special
> nodes. [...]
> I have no idea if the "pool" view is suitable for Unicore as it
> probably would mean one vsite - in particular how to chose if a
> certain property is required. "Priority" or "Speed" from the
> Unicore resource pannel might be a (last and not really
> transparent) solution ...
Yes, it would be one Vsite representing one PBS system. The Priorities are
used to select a certain PBS queue, e.g. if you had two queues "fast" and "slow"
you could map priority "HIGH" to queue "fast" and all the others to "slow".
As you say, to use this to select certain node types, this is not very transparent
for the user. If you have different architectures (Opteron vs Itanium, x86 vs x86_64, etc),
it might be better to have multiple Vsites.
There are possible workarounds, such as adding things to script headers, e.g.
#ITANIUM ONLY PLEASE
and process these in the TSI, but that is somehow "outside" of Unicore.
Maybe somebody else has a good idea here?
> Back to the configuration from above and Unicore:
> - the Unicore gateway probably goes to the gateway machine and can
> serve all vsites (NJS/TSI).
Yes.
> Is it a security problem that ordinary users can login to the gateway machine?
Not really. Check the access rights on the gateway files, though.
> Should we put the Unicore gateway on a dedicated machine? Must the Unicore gateway
> run as root?
The gateway can be on a dedicated server, but it's not required. The gateway has an open port to
the internet, so in secure environments it is the only component "outside" the firewall.
Also, in case of high load it may be better to have a dedicated server, and to give the Java VM
enough memory and set the thread limit sufficiently high.
The gateway should run a normal user.
> - the production cluster will be one (or two?) vsite. I'm not sure on which
> machine(s) to put the NJS and TSI.
The NJS should have its own server, which may be the login machine (you need Java).
For our production system (p690 cluster running under AIX + LoadLeveler), we have separate (Linux) gateway and NJS servers.
The TSI MUST run as root on the target machine/cluster, since it does setuid to the actual user, executes things,
calls the batch system, writes files, etc.
> If NJS and TSI are on different machines, which one needs access
> to the UUDB. If I understand it correctly, only the NJS.
Yes. The UUDB must be on the NJS machine.
Hope this helps a little...
Bernd.
--
Dr. Bernd Schuller
ZAM
Forschungszentrum Juelich GmbH
mail b.schuller@...
phone +49 2461 61 8736
fax +49 2461 61 6656

Dear All!
First of all thanks a lot to those who put together the quick-start
package. It really makes it easy to start with unicore. After
successfully completing the first steps, I'm right now thinking
about how to best setup a (secure) Unicore infrastructure for our
more complex configuration, i.e. which services to put on which
(dedicated) machine, which services to run as root or ordinary
user, etc.
We have a configuration which can be simplified as follows:
- a "gateway" machine which can be seen from the "outside"
- several heterogeneous "test machines"
+ xeon32-1, xeon32-2, xeon32-3
+ xeon64-1, xeon64-2
+ opteron-1, opteron-2
+ itanium-1, itanium-2
- a production cluster consisting of
+ login machines
+ PBS/NFS server (ordinary users are not allowed to login)
+ x86 compute nodes
+ x86_64 compute nodes
Right now, we have PBS running on the production cluster. All
compute nodes belong to one big pool (queue) and users can (if they
want) select via node properties which part (x86/x86_64) they want.
From the PBS point of view, I'd would also integrate all "test
machines" to an other PBS sever with again just one "pool" where
the users again can select via node properties if they want special
nodes. This would ensure a good utilization of the resourses as it
would not be necessary to bind jobs which can run on any system to
a special ressource.
I have no idea if the "pool" view is suitable for Unicore as it
probably would mean one vsite - in particular how to chose if a
certain property is required. "Priority" or "Speed" from the
Unicore resource pannel might be a (last and not really
transparent) solution ...
Back to the configuration from above and Unicore:
- the Unicore gateway probably goes to the gateway machine and can
serve all vsites (NJS/TSI). Is it a security problem that
ordinary users can login to the gateway machine? Should we put the
Unicore gateway on a dedicated machine? Must the Unicore gateway
run as root?
- the production cluster will be one (or two?) vsite. I'm not sure on which
machine(s) to put the NJS and TSI. To the login machines or to the
server where ordinary users cannot login? At least, probably the
TSI has to be run as root, I assume, because it is responsible
for switching the the xuser.
If NJS and TSI are on different machines, which one needs access
to the UUDB. If I understand it correctly, only the NJS.
- and finally the probably most difficult part: the test machines.
Any advice on this? For several reasons, they will get a PBS
server different from the production cluster. The other points can
still be decided.
Well, a lot of questions in a single mail ...
Any comments and suggestions are highly appreciated.
Regards,
thomas
--
Dipl.-Ing. Thomas ZEISER
Regionales Rechenzentrum Erlangen / HPC-Gruppe
Martensstr. 1, 91058 Erlangen, GERMANY
Tel: ++49 9131 85-28737 / Fax: ++49 9131 302941

Hi Daniel,
Daniel Jonathan Hernández Bolaños wrote:
> I have recently sent a mail with the subject "Installation Problems".
> It seems the problems are not related to firewalls or non-authorized
> access to yepes machine. "trueno" was the name of machine where the
> client was running and my user name is "danielh". Is it necessary to
> add my user name or my client-machine to the uudb for connecting and
> how can I do that?
Basically, you need to add the public key of a user certificate to the uudb.
Usually, users generate keys themselves using the UNICORE client's
"Settings/Keystore Editor.../Generate Certification Request" function.
**** These have to be authorised by a certification authority (CA). *****
You can set up a CA yourself using OpenSSL, if you want.
Some info on setting up a CA and on the X509 public key infrastructure using OpenSSL
can be found (for example) here: http://sial.org/howto/openssl/ca/
If you intend setting up a UNICORE Grid involving lots of machines and users, you'll have to set
up your own CA. There are also third-party vendors of certificates (e.g. Verisign), if
that is an option for you.
For testing purposes only(!!!), you can use the NJS test certificate/keystore that comes with the
unicore_demo package, as follows.
1) copy the file ../njs/conf/njs_identity.p12 to your client machine
2) -start the Unicore client and do "Settings/Keystore Editor/Actions/Import keystore"
-select the njs_identity.p12, password is "the!njs"
-choose "yes" when asked whether this should be set as default
3) export the public key:
-click on the new entry ("testnjs") and select "export public key" (choose a filename, say "test.pem")
4) this new pem file can be added to the uudb, (on the NJS machine) using
cd ....../uudb
bin/add test.pem logon_name
where "logon_name" is the user name (on the target system machine) you want to assign to that certificate.
**** Let me stress again that this for testing purposes only. If you do this, please be aware that using
the same procedure I (or everybody else on this mailing list) could access your server, if it were
accessible on the internet(you have already posted the server name). You have been warned...
You might want to review the Unicore tutorial available from http://unicore.sourceforge.net/docs/tutorial_aurora_romberg.pdf
to find out more about the security infrastructure.
Best regards,
Bernd.
--
Dr. Bernd Schuller
ZAM
Forschungszentrum Juelich GmbH
mail b.schuller@...
phone +49 2461 61 8736
fax +49 2461 61 6656

Hi,
I have recently sent a mail with the subject "Installation Problems".
It seems the problems are not related to firewalls or non-authorized
access to yepes machine. "trueno" was the name of machine where the
client was running and my user name is "danielh". Is it necessary to
add my user name or my client-machine to the uudb for connecting and
how can I do that?
In case of certificate authority problems, could you explain me how
can I edit the Keystore Editor basing on the quick start package to
avoid permission problems?(what .pem or .p12 files I should use
because this package comes with these files in the gateway tier, the
njs tier, ...)
Thanks, bye.

Hi,
If you used the "unicore_demo" package the vsite configuration should be fine.
You can check if you can connect to the server by using "telnet" from a command line:
telnet yepes.iac.es 4004
If you see errors (like "Connection refused") you should check the firewall settings on the server.
Are you certain about the user certificate you are using? In our experience most problems
are due to this certificate business :)
Best regards,
Bernd.
Daniel Jonathan Hernández Bolaños wrote:
> I have installed unicore server and client in a computer enviroment
> with the quickstart package, but I have had some problems. I'm not
> able to connect the client to server. When the client is running, I'm
> able to see the server in the server panel by moving the gateways.xml
> file of the server to the .unicore directory.
> I have filled the user profile in the client to read this xml file.
> But when I try connecting to the server, a message appear as follow:
> "Unable to connect the v-site http://yepes.iac.es"; or something
> similar. "Yepes" is the hostname where server is running, and "iac" is
> the domain. I have thought the problem is related to v-site
> configuration (in adittion, I have added to the uddb the user "trueno"
> that is the machine where client is running), but I really don't know
> how to solve this problem.
--
Dr. Bernd Schuller
ZAM
Forschungszentrum Juelich GmbH
mail b.schuller@...
phone +49 2461 61 8736
fax +49 2461 61 6656

Hello!
I have installed unicore server and client in a computer enviroment
with the quickstart package, but I have had some problems. I'm not
able to connect the client to server. When the client is running, I'm
able to see the server in the server panel by moving the gateways.xml
file of the server to the .unicore directory.
I have filled the user profile in the client to read this xml file.
But when I try connecting to the server, a message appear as follow:
"Unable to connect the v-site http://yepes.iac.es"; or something
similar. "Yepes" is the hostname where server is running, and "iac" is
the domain. I have thought the problem is related to v-site
configuration (in adittion, I have added to the uddb the user "trueno"
that is the machine where client is running), but I really don't know
how to solve this problem.
Thanks and waiting for a response...
PD: I'm sorry if my english is not well-understood.

Hi,
users can generate keys themselves using the UNICORE client's
"Settings/Keystore Editor.../Generate Certification Request" function.
These have to be authorised by a certification authority (CA).
You can set up a CA yourself using OpenSSL, if you want.
FZ Juelich offers a small CA (on "best effort" basis)
for testing/project use under https://projects-ca.fz-juelich.de
More info on setting up a CA and on the X509 public key infrastructure using OpenSSL
can be found (for example) here: http://sial.org/howto/openssl/ca/
If you intend setting up a UNICORE Grid involving lots of machines and users, we recommend
setting up your own CA. There are also third-party vendors of certificates (e.g. Verisign), if
that is an option for you.
Best regards,
Bernd Schuller.
Lizhe.Wang@... wrote:
> can anyone let me know to generate keys for UUDB users?
--
Dr. Bernd Schuller
ZAM
Forschungszentrum Juelich GmbH
mail b.schuller@...
phone +49 2461 61 8736
fax +49 2461 61 6656